feat(ocis): Transition to oCIS and enhance deployment
Removes the full Nextcloud stack (PostgreSQL/CNPG, Valkey, Caddy) and deploys oCIS at drive.tr1ceracop.de. oCIS is self-contained — no external database or cache needed.

Key design decisions:
- S3ng storage backend on Hetzner Object Storage (ocis-tr1ceracop)
- Chart fetched via vendir git source (not published to a Helm repo)
- All secrets generated in-cluster via PreSync init Job (never in git)
- Memory requests on all pods to prevent node overcommit
- Persistence on local-path for metadata (idm, nats, search, storage)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
ffa171bfb0
commit
0daee9f7f9
11
CLAUDE.md
11
CLAUDE.md
|
|
@ -74,6 +74,11 @@ kubectl apply -f rendered/envs/production/<app>/ --server-side # Deploy
|
||||||
## Container Images
|
## Container Images
|
||||||
- **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead.
|
- **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead.
|
||||||
|
|
||||||
## Secrets (not in git)
|
## Secrets
|
||||||
- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated)
|
- **Never commit secrets to git.** This is a public repository.
|
||||||
- `argocd/argocd-initial-admin-secret` — ArgoCD admin password (auto-generated)
|
- **All secrets must be generated in-cluster** using init Jobs (ArgoCD PreSync hooks) that create secrets if they don't already exist. See `prototypes/ocis/ytt/s3-secret-job.ytt.yaml` for the pattern.
|
||||||
|
- **External secrets** (e.g. S3 credentials) that cannot be generated must be created manually in the cluster before deploying. The init Job should validate their existence and fail fast if missing.
|
||||||
|
- When adding a new application that uses a Helm chart generating secrets, configure all `secretRefs` to point to pre-created secret names and use an init Job to generate them.
|
||||||
|
- Known external secrets (not in git, created manually):
|
||||||
|
- `ocis/ocis-s3-credentials` — Hetzner S3 access key and secret key
|
||||||
|
- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated by cert-manager)
|
||||||
|
|
|
||||||
|
|
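Review bot: the rewritten "Known external secrets" list drops `argocd/argocd-initial-admin-secret`, which the old list documented and which nothing in this commit removes from the cluster; restore that entry. In the same list, `cert-manager/letsencrypt-account-key` is filed under "created manually" while its own description says "auto-generated by cert-manager", so either move it to a separate "auto-generated" line or correct the heading, otherwise the next reader will try to create it by hand.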
@ -1,4 +1,4 @@
|
||||||
# Nextcloud: Data Safety & Infrastructure Transparency
|
# oCIS: Data Safety & Infrastructure Transparency
|
||||||
|
|
||||||
This is a quick guide to show how I've set things up, where your data actually lives, and what happens if something breaks. My main goal is to make sure your files are **never permanently lost**, even if the service goes offline for a bit.
|
This is a quick guide to show how I've set things up, where your data actually lives, and what happens if something breaks. My main goal is to make sure your files are **never permanently lost**, even if the service goes offline for a bit.
|
||||||
|
|
||||||
|
|
@ -9,43 +9,38 @@ I use a multi-region setup in Europe so that your files and settings aren't stuc
|
||||||
| **Data Type** | **Primary Location** | **Infrastructure** | **Privacy** |
|
| **Data Type** | **Primary Location** | **Infrastructure** | **Privacy** |
|
||||||
| :--- | :--- | :--- | :--- |
|
| :--- | :--- | :--- | :--- |
|
||||||
| **Your Files** (Photos, etc.) | Nuremberg, Germany | S3 Object Storage (NBG1) | EU (GDPR) |
|
| **Your Files** (Photos, etc.) | Nuremberg, Germany | S3 Object Storage (NBG1) | EU (GDPR) |
|
||||||
| **Settings & Shares** | Nuremberg, Germany | Replicated PostgreSQL Cluster | EU (GDPR) |
|
| **User Accounts & Metadata** | Nuremberg, Germany | Local persistent storage on cluster nodes | EU (GDPR) |
|
||||||
| **Emergency File Backups** | Helsinki, Finland | Storage Box Vault (HEL1) | EU (GDPR) |
|
| **Emergency File Backups** | Helsinki, Finland | Storage Box Vault (HEL1) | EU (GDPR) |
|
||||||
| **Database Backups** | Falkenstein, Germany | S3 Object Storage (FSN1) | EU (GDPR) |
|
|
||||||
|
|
||||||
## 2. Technical Setup & Reliability
|
## 2. Technical Setup & Reliability
|
||||||
|
|
||||||
I’m using a modern "cloud-native" stack to keep things stable:
|
I'm using a modern "cloud-native" stack to keep things stable:
|
||||||
|
|
||||||
* **3-Node Server Cluster:** The Nextcloud app runs across three different server nodes. I keep at least two active copies running at all times. If one server crashes, the system automatically moves your connection to a healthy one.
|
* **3-Node Server Cluster:** The oCIS application runs as a set of microservices across three different server nodes. If one server crashes, the system automatically moves your connection to a healthy one.
|
||||||
|
|
||||||
* **S3 Storage Redundancy:** Your files are stored using "Erasure Coding." This means they are split into fragments and spread across many physical disks. The system can handle three disks dying at the exact same time without losing a single byte of your data.
|
* **S3 Storage Redundancy:** Your files are stored using "Erasure Coding." This means they are split into fragments and spread across many physical disks. The system can handle three disks dying at the exact same time without losing a single byte of your data.
|
||||||
|
|
||||||
* **SQL Database Replication:** Your account settings and calendars are managed by a PostgreSQL cluster. This is mirrored across multiple volumes so that a single disk failure doesn't lock you out of your account.
|
* **Self-Contained Architecture:** Unlike traditional setups, oCIS doesn't require an external database. User accounts, metadata, and file structure are managed by built-in services with their own persistent storage.
|
||||||
|
|
||||||
## 3. The "Never Unrecoverable" Guarantee
|
## 3. The "Never Unrecoverable" Guarantee
|
||||||
|
|
||||||
I don't guarantee 100% "up-time" (the site might go down for maintenance or if a datacenter has a major issue), but I follow a 3-Region Safety Rule to prevent data loss:
|
I don't guarantee 100% "up-time" (the site might go down for maintenance or if a datacenter has a major issue), but I follow a multi-region safety approach to prevent data loss:
|
||||||
|
|
||||||
* **Daily Sync to Finland:** Every 24 hours, the system automatically mirrors all files from the Nuremberg storage to a separate **Storage Box** in Helsinki.
|
* **Daily Sync to Finland:** Every 24 hours, the system automatically mirrors all files from the Nuremberg storage to a separate **Storage Box** in Helsinki.
|
||||||
|
|
||||||
* **Database Dumps:** Every day, I export a compressed SQL dump of the database and store it in a different S3 bucket in Falkenstein.
|
|
||||||
|
|
||||||
* **Immutable Snapshots:** The backup vault in Helsinki uses "Snapshots." These are read-only versions of the past. If a bug accidentally deletes something, I can "roll back" the storage to how it looked yesterday.
|
* **Immutable Snapshots:** The backup vault in Helsinki uses "Snapshots." These are read-only versions of the past. If a bug accidentally deletes something, I can "roll back" the storage to how it looked yesterday.
|
||||||
|
|
||||||
## 4. Technologies I Use
|
## 4. Technologies I Use
|
||||||
|
|
||||||
If you're curious about the specific tools I'm using to run this, here is the tech stack:
|
If you're curious about the specific tools I'm using to run this, here is the tech stack:
|
||||||
|
|
||||||
* [**Nextcloud**](https://nextcloud.com/): The core collaboration platform for your files, contacts, and calendars.
|
* [**oCIS (ownCloud Infinite Scale)**](https://owncloud.dev/ocis/): The core file sync and share platform for your files. A modern, self-contained Go application.
|
||||||
|
|
||||||
* [**Kubernetes**](https://kubernetes.io/): The "brain" that manages my 3-node cluster and ensures the apps stay running.
|
* [**Kubernetes**](https://kubernetes.io/): The "brain" that manages my 3-node cluster and ensures the apps stay running.
|
||||||
|
|
||||||
* [**PostgreSQL**](https://www.postgresql.org/): The high-performance database engine that stores all your account settings and metadata.
|
|
||||||
|
|
||||||
* [**Hetzner**](https://www.hetzner.com/): The German cloud provider where all the physical servers are located.
|
* [**Hetzner**](https://www.hetzner.com/): The German cloud provider where all the physical servers are located.
|
||||||
|
|
||||||
* [**Object Storage (S3)**](https://www.hetzner.com/de/storage/object-storage/): The specific high-durability service used for storing your actual files in Nuremberg and backups in Falkenstein.
|
* [**Object Storage (S3)**](https://www.hetzner.com/de/storage/object-storage/): The specific high-durability service used for storing your actual files in Nuremberg.
|
||||||
|
|
||||||
* [**Storage Box**](https://www.hetzner.com/storage/storage-box/): The independent storage vault in Helsinki used for the daily file mirrors and snapshots.
|
* [**Storage Box**](https://www.hetzner.com/storage/storage-box/): The independent storage vault in Helsinki used for the daily file mirrors and snapshots.
|
||||||
|
|
||||||
|
|
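Review bot: the "3-Node Server Cluster" bullet still promises that a crashed server is handled by an automatic move to a healthy node, but the values in this same commit put idm, nats, search and storage on `local-path` volumes with `ReadWriteOnce`; those volumes are node-local, so the pod bound to them cannot be rescheduled elsewhere and the service stays down until that node returns. Qualify the bullet (stateless services move, the stateful ones wait for their node) rather than carrying the old Nextcloud wording over. The new "Self-Contained Architecture" bullet is a good place to add the one-line consequence: the built-in services' persistent storage is the part that now needs its own backup, since the "Database Dumps" bullet and the "Database Backups" table row were removed without a replacement.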
@ -58,10 +53,9 @@ The following table shows the total monthly costs for the entire setup. These ar
|
||||||
| **Component** | **Description** | **Cost (Approx.)** |
|
| **Component** | **Description** | **Cost (Approx.)** |
|
||||||
| :--- | :--- | :--- |
|
| :--- | :--- | :--- |
|
||||||
| **Servers (Nodes)** | 3x Cloud Instances (**CAX11 ARM64**) | \~€13.50 |
|
| **Servers (Nodes)** | 3x Cloud Instances (**CAX11 ARM64**) | \~€13.50 |
|
||||||
| **PostgreSQL Volumes** | High-speed block storage for database replication | \~€2.00 |
|
| **S3 Object Storage** | Primary file storage (NBG1) | \~€7.72\* |
|
||||||
| **S3 Object Storage** | Primary storage (NBG1) & DB backups (FSN1) | \~€7.72\* |
|
|
||||||
| **Storage Box** | 1 TB Backup Vault in Helsinki (BX11) | \~€3.81 |
|
| **Storage Box** | 1 TB Backup Vault in Helsinki (BX11) | \~€3.81 |
|
||||||
| **TOTAL** | **Combined platform cost** | **\~€27.03** |
|
| **TOTAL** | **Combined platform cost** | **\~€25.03** |
|
||||||
|
|
||||||
*\*The S3 base price includes the first 1 TB of storage and 1 TB of egress traffic. If usage exceeds these limits, pay-as-you-go rates apply (approx. €7.74 per additional TB).*
|
*\*The S3 base price includes the first 1 TB of storage and 1 TB of egress traffic. If usage exceeds these limits, pay-as-you-go rates apply (approx. €7.74 per additional TB).*
|
||||||
|
|
||||||
|
|
@ -81,6 +75,6 @@ The following table shows the total monthly costs for the entire setup. These ar
|
||||||
| :--- | :--- | :--- |
|
| :--- | :--- | :--- |
|
||||||
| **A single server fails** | Nothing / Minimal lag | Automatic move to a healthy server node. |
|
| **A single server fails** | Nothing / Minimal lag | Automatic move to a healthy server node. |
|
||||||
| **You accidentally delete a file** | It's gone | I can try to pull it from the 24h Helsinki Snapshot vault. |
|
| **You accidentally delete a file** | It's gone | I can try to pull it from the 24h Helsinki Snapshot vault. |
|
||||||
| **Major Datacenter Disaster** | Site goes offline | I'll rebuild the setup in a new region using the SQL dumps and File mirrors. |
|
| **Major Datacenter Disaster** | Site goes offline | I'll rebuild the setup in a new region using the S3 data and file mirrors. |
|
||||||
|
|
||||||
*I update this whenever I change the hardware or backup routine. Last update: April 2026.*
|
*I update this whenever I change the hardware or backup routine. Last update: April 2026.*
|
||||||
|
|
|
||||||
|
|
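Review bot: the "Major Datacenter Disaster" row now says the setup is rebuilt "using the S3 data and file mirrors", but after this commit user accounts, shares and the rest of the metadata live on node-local volumes with no off-site copy documented anywhere on the page (the SQL dump step that used to cover them is gone). Either add a backup step for those volumes and reference it here, or state plainly that a rebuild recovers files only and accounts/shares would have to be recreated. The "accidentally delete a file" row is consistent with the Helsinki snapshot bullet and needs no change.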
@ -1,4 +1,4 @@
|
||||||
# Nextcloud: Datensicherheit & Infrastruktur-Transparenz
|
# oCIS: Datensicherheit & Infrastruktur-Transparenz
|
||||||
|
|
||||||
Dies ist eine kurze Anleitung, die zeigt, wie ich alles eingerichtet habe, wo eure Daten tatsaechlich liegen und was passiert, wenn etwas schiefgeht. Mein Hauptziel ist es sicherzustellen, dass eure Dateien **niemals dauerhaft verloren gehen**, selbst wenn der Dienst mal kurzzeitig offline ist.
|
Dies ist eine kurze Anleitung, die zeigt, wie ich alles eingerichtet habe, wo eure Daten tatsaechlich liegen und was passiert, wenn etwas schiefgeht. Mein Hauptziel ist es sicherzustellen, dass eure Dateien **niemals dauerhaft verloren gehen**, selbst wenn der Dienst mal kurzzeitig offline ist.
|
||||||
|
|
||||||
|
|
@ -9,43 +9,38 @@ Ich verwende ein Multi-Region-Setup in Europa, damit eure Dateien und Einstellun
|
||||||
| **Datentyp** | **Primaerer Standort** | **Infrastruktur** | **Datenschutz** |
|
| **Datentyp** | **Primaerer Standort** | **Infrastruktur** | **Datenschutz** |
|
||||||
| :--- | :--- | :--- | :--- |
|
| :--- | :--- | :--- | :--- |
|
||||||
| **Eure Dateien** (Fotos etc.) | Nuernberg, Deutschland | S3 Object Storage (NBG1) | EU (DSGVO) |
|
| **Eure Dateien** (Fotos etc.) | Nuernberg, Deutschland | S3 Object Storage (NBG1) | EU (DSGVO) |
|
||||||
| **Einstellungen & Freigaben** | Nuernberg, Deutschland | Replizierter PostgreSQL-Cluster | EU (DSGVO) |
|
| **Benutzerkonten & Metadaten** | Nuernberg, Deutschland | Lokaler persistenter Speicher auf Cluster-Nodes | EU (DSGVO) |
|
||||||
| **Notfall-Datei-Backups** | Helsinki, Finnland | Storage Box Vault (HEL1) | EU (DSGVO) |
|
| **Notfall-Datei-Backups** | Helsinki, Finnland | Storage Box Vault (HEL1) | EU (DSGVO) |
|
||||||
| **Datenbank-Backups** | Falkenstein, Deutschland | S3 Object Storage (FSN1) | EU (DSGVO) |
|
|
||||||
|
|
||||||
## 2. Technisches Setup & Zuverlaessigkeit
|
## 2. Technisches Setup & Zuverlaessigkeit
|
||||||
|
|
||||||
Ich verwende einen modernen "Cloud-Native"-Stack, um alles stabil zu halten:
|
Ich verwende einen modernen "Cloud-Native"-Stack, um alles stabil zu halten:
|
||||||
|
|
||||||
* **3-Node-Server-Cluster:** Die Nextcloud-App laeuft auf drei verschiedenen Server-Nodes. Ich halte immer mindestens zwei aktive Kopien am Laufen. Wenn ein Server abstuerzt, leitet das System eure Verbindung automatisch auf einen funktionierenden um.
|
* **3-Node-Server-Cluster:** Die oCIS-Anwendung laeuft als eine Reihe von Microservices auf drei verschiedenen Server-Nodes. Wenn ein Server abstuerzt, leitet das System eure Verbindung automatisch auf einen funktionierenden um.
|
||||||
|
|
||||||
* **S3-Speicher-Redundanz:** Eure Dateien werden mittels "Erasure Coding" gespeichert. Das bedeutet, sie werden in Fragmente aufgeteilt und auf viele physische Festplatten verteilt. Das System kann den gleichzeitigen Ausfall von drei Festplatten verkraften, ohne ein einziges Byte eurer Daten zu verlieren.
|
* **S3-Speicher-Redundanz:** Eure Dateien werden mittels "Erasure Coding" gespeichert. Das bedeutet, sie werden in Fragmente aufgeteilt und auf viele physische Festplatten verteilt. Das System kann den gleichzeitigen Ausfall von drei Festplatten verkraften, ohne ein einziges Byte eurer Daten zu verlieren.
|
||||||
|
|
||||||
* **SQL-Datenbank-Replikation:** Eure Kontoeinstellungen und Kalender werden von einem PostgreSQL-Cluster verwaltet. Dieser wird ueber mehrere Volumes gespiegelt, sodass ein einzelner Festplattenausfall euch nicht aus eurem Konto aussperrt.
|
* **Eigenstaendige Architektur:** Im Gegensatz zu traditionellen Setups benoetigt oCIS keine externe Datenbank. Benutzerkonten, Metadaten und Dateistruktur werden von integrierten Diensten mit eigenem persistentem Speicher verwaltet.
|
||||||
|
|
||||||
## 3. Die "Niemals unwiederbringlich verloren"-Garantie
|
## 3. Die "Niemals unwiederbringlich verloren"-Garantie
|
||||||
|
|
||||||
Ich garantiere keine 100%ige Verfuegbarkeit (die Seite kann fuer Wartungsarbeiten oder bei einem groesseren Rechenzentrumsproblem offline gehen), aber ich befolge eine 3-Regionen-Sicherheitsregel, um Datenverlust zu verhindern:
|
Ich garantiere keine 100%ige Verfuegbarkeit (die Seite kann fuer Wartungsarbeiten oder bei einem groesseren Rechenzentrumsproblem offline gehen), aber ich befolge einen Multi-Regionen-Sicherheitsansatz, um Datenverlust zu verhindern:
|
||||||
|
|
||||||
* **Taegliche Synchronisation nach Finnland:** Alle 24 Stunden spiegelt das System automatisch alle Dateien vom Nuernberger Speicher auf eine separate **Storage Box** in Helsinki.
|
* **Taegliche Synchronisation nach Finnland:** Alle 24 Stunden spiegelt das System automatisch alle Dateien vom Nuernberger Speicher auf eine separate **Storage Box** in Helsinki.
|
||||||
|
|
||||||
* **Datenbank-Dumps:** Jeden Tag exportiere ich einen komprimierten SQL-Dump der Datenbank und speichere ihn in einem anderen S3-Bucket in Falkenstein.
|
|
||||||
|
|
||||||
* **Unveraenderbare Snapshots:** Der Backup-Vault in Helsinki verwendet "Snapshots". Das sind schreibgeschuetzte Versionen der Vergangenheit. Wenn ein Fehler versehentlich etwas loescht, kann ich den Speicher auf den Zustand von gestern "zuruecksetzen".
|
* **Unveraenderbare Snapshots:** Der Backup-Vault in Helsinki verwendet "Snapshots". Das sind schreibgeschuetzte Versionen der Vergangenheit. Wenn ein Fehler versehentlich etwas loescht, kann ich den Speicher auf den Zustand von gestern "zuruecksetzen".
|
||||||
|
|
||||||
## 4. Technologien, die ich verwende
|
## 4. Technologien, die ich verwende
|
||||||
|
|
||||||
Falls ihr neugierig seid, welche konkreten Tools ich zum Betrieb verwende, hier ist der Tech-Stack:
|
Falls ihr neugierig seid, welche konkreten Tools ich zum Betrieb verwende, hier ist der Tech-Stack:
|
||||||
|
|
||||||
* [**Nextcloud**](https://nextcloud.com/): Die zentrale Kollaborationsplattform fuer eure Dateien, Kontakte und Kalender.
|
* [**oCIS (ownCloud Infinite Scale)**](https://owncloud.dev/ocis/): Die zentrale Datei-Sync- und Share-Plattform fuer eure Dateien. Eine moderne, eigenstaendige Go-Anwendung.
|
||||||
|
|
||||||
* [**Kubernetes**](https://kubernetes.io/): Das "Gehirn", das meinen 3-Node-Cluster verwaltet und sicherstellt, dass die Apps weiterlaufen.
|
* [**Kubernetes**](https://kubernetes.io/): Das "Gehirn", das meinen 3-Node-Cluster verwaltet und sicherstellt, dass die Apps weiterlaufen.
|
||||||
|
|
||||||
* [**PostgreSQL**](https://www.postgresql.org/): Die Hochleistungs-Datenbank-Engine, die alle Kontoeinstellungen und Metadaten speichert.
|
|
||||||
|
|
||||||
* [**Hetzner**](https://www.hetzner.com/): Der deutsche Cloud-Anbieter, bei dem alle physischen Server stehen.
|
* [**Hetzner**](https://www.hetzner.com/): Der deutsche Cloud-Anbieter, bei dem alle physischen Server stehen.
|
||||||
|
|
||||||
* [**Object Storage (S3)**](https://www.hetzner.com/de/storage/object-storage/): Der spezielle Hochverfuegbarkeits-Speicherdienst fuer eure eigentlichen Dateien in Nuernberg und Backups in Falkenstein.
|
* [**Object Storage (S3)**](https://www.hetzner.com/de/storage/object-storage/): Der spezielle Hochverfuegbarkeits-Speicherdienst fuer eure eigentlichen Dateien in Nuernberg.
|
||||||
|
|
||||||
* [**Storage Box**](https://www.hetzner.com/storage/storage-box/): Der unabhaengige Speicher-Vault in Helsinki fuer die taeglichen Datei-Spiegelungen und Snapshots.
|
* [**Storage Box**](https://www.hetzner.com/storage/storage-box/): Der unabhaengige Speicher-Vault in Helsinki fuer die taeglichen Datei-Spiegelungen und Snapshots.
|
||||||
|
|
||||||
|
|
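Review bot: this hunk is the German mirror of the English body and inherits the same two gaps: the "3-Node-Server-Cluster" bullet still promises automatic rerouting for stateful services that this commit pins to `local-path`/`ReadWriteOnce` volumes, and removing "Datenbank-Dumps" leaves "Benutzerkonten & Metadaten" with no documented backup. Apply whatever wording fix lands in the English file here as well so the two translations do not drift.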
@ -58,10 +53,9 @@ Die folgende Tabelle zeigt die gesamten monatlichen Kosten fuer das komplette Se
|
||||||
| **Komponente** | **Beschreibung** | **Kosten (ca.)** |
|
| **Komponente** | **Beschreibung** | **Kosten (ca.)** |
|
||||||
| :--- | :--- | :--- |
|
| :--- | :--- | :--- |
|
||||||
| **Server (Nodes)** | 3x Cloud-Instanzen (**CAX11 ARM64**) | \~13,50 EUR |
|
| **Server (Nodes)** | 3x Cloud-Instanzen (**CAX11 ARM64**) | \~13,50 EUR |
|
||||||
| **PostgreSQL-Volumes** | Hochgeschwindigkeits-Blockspeicher fuer Datenbank-Replikation | \~2,00 EUR |
|
| **S3 Object Storage** | Primaerer Dateispeicher (NBG1) | \~7,72 EUR\* |
|
||||||
| **S3 Object Storage** | Primaerspeicher (NBG1) & DB-Backups (FSN1) | \~7,72 EUR\* |
|
|
||||||
| **Storage Box** | 1 TB Backup-Vault in Helsinki (BX11) | \~3,81 EUR |
|
| **Storage Box** | 1 TB Backup-Vault in Helsinki (BX11) | \~3,81 EUR |
|
||||||
| **GESAMT** | **Kombinierte Plattformkosten** | **\~27,03 EUR** |
|
| **GESAMT** | **Kombinierte Plattformkosten** | **\~25,03 EUR** |
|
||||||
|
|
||||||
*\*Der S3-Grundpreis beinhaltet das erste 1 TB Speicher und 1 TB Egress-Traffic. Bei Ueberschreitung gelten nutzungsbasierte Preise (ca. 7,74 EUR pro zusaetzlichem TB).*
|
*\*Der S3-Grundpreis beinhaltet das erste 1 TB Speicher und 1 TB Egress-Traffic. Bei Ueberschreitung gelten nutzungsbasierte Preise (ca. 7,74 EUR pro zusaetzlichem TB).*
|
||||||
|
|
||||||
|
|
@ -81,6 +75,6 @@ Die folgende Tabelle zeigt die gesamten monatlichen Kosten fuer das komplette Se
|
||||||
| :--- | :--- | :--- |
|
| :--- | :--- | :--- |
|
||||||
| **Ein einzelner Server faellt aus** | Nichts / Minimale Verzoegerung | Automatische Umleitung auf einen funktionierenden Server-Node. |
|
| **Ein einzelner Server faellt aus** | Nichts / Minimale Verzoegerung | Automatische Umleitung auf einen funktionierenden Server-Node. |
|
||||||
| **Ihr loescht versehentlich eine Datei** | Sie ist weg | Ich kann versuchen, sie aus dem 24h-Helsinki-Snapshot-Vault wiederherzustellen. |
|
| **Ihr loescht versehentlich eine Datei** | Sie ist weg | Ich kann versuchen, sie aus dem 24h-Helsinki-Snapshot-Vault wiederherzustellen. |
|
||||||
| **Groessere Rechenzentrums-Katastrophe** | Seite geht offline | Ich baue das Setup in einer neuen Region mithilfe der SQL-Dumps und Datei-Spiegelungen neu auf. |
|
| **Groessere Rechenzentrums-Katastrophe** | Seite geht offline | Ich baue das Setup in einer neuen Region mithilfe der S3-Daten und Datei-Spiegelungen neu auf. |
|
||||||
|
|
||||||
*Ich aktualisiere dieses Dokument, wenn ich die Hardware oder Backup-Routine aendere. Letzte Aktualisierung: April 2026.*
|
*Ich aktualisiere dieses Dokument, wenn ich die Hardware oder Backup-Routine aendere. Letzte Aktualisierung: April 2026.*
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,25 @@ features:
|
||||||
emailNotifications:
|
emailNotifications:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 64Mi
|
||||||
|
cpu: 10m
|
||||||
|
|
||||||
secretRefs:
|
secretRefs:
|
||||||
|
adminUserSecretRef: ocis-admin-user
|
||||||
|
idpSecretRef: ocis-idp-secrets
|
||||||
|
jwtSecretRef: ocis-jwt-secret
|
||||||
|
ldapSecretRef: ocis-ldap-bind-secrets
|
||||||
|
ldapCaRef: ocis-ldap-ca
|
||||||
|
ldapCertRef: ocis-ldap-cert
|
||||||
|
machineAuthApiKeySecretRef: ocis-machine-auth-api-key
|
||||||
|
storagesystemJwtSecretRef: ocis-storage-system-jwt-secret
|
||||||
|
storagesystemSecretRef: ocis-storage-system
|
||||||
|
thumbnailsSecretRef: ocis-thumbnails-transfer-secret
|
||||||
|
transferSecretSecretRef: ocis-transfer-secret
|
||||||
|
serviceAccountSecretRef: ocis-service-account-secret
|
||||||
|
collaborationWopiSecret: ocis-collaboration-wopi-secret
|
||||||
s3CredentialsSecretRef: ocis-s3-credentials
|
s3CredentialsSecretRef: ocis-s3-credentials
|
||||||
|
|
||||||
services:
|
services:
|
||||||
|
|
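Review bot: `collaborationWopiSecret` is the only entry in `secretRefs` without the `SecretRef` suffix; if that is not the exact key the vendored chart reads, the chart will fall back to generating its own WOPI secret, which silently breaks the "all secrets come from the PreSync Job" rule this commit establishes, so verify the key name against the chart's values.yaml. The other thirteen names line up one-to-one with the secrets the init Job creates. Separately, the `resources` blocks set `requests` only; that keeps the scheduler from overcommitting nodes, as the commit message says, but without `limits` a misbehaving pod can still consume the node's memory at runtime, so consider adding `limits.memory` at least for the services with a known footprint.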
@ -51,6 +69,10 @@ services:
|
||||||
- ReadWriteOnce
|
- ReadWriteOnce
|
||||||
|
|
||||||
nats:
|
nats:
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 96Mi
|
||||||
|
cpu: 10m
|
||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
storageClassName: local-path
|
storageClassName: local-path
|
||||||
|
|
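Review bot: `nats` gets `persistence.enabled: true` on `local-path`, which ties its PVC to a single node and to that node's disk; losing the disk loses the NATS state, and nothing in the backup sections of this commit covers it. Since `local-path` offers no replication, either document that this state is disposable and can be rebuilt on a fresh volume, or include the local-path directories in a backup job alongside the other metadata volumes (idm, search, storage) this commit places there.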
@ -74,7 +96,16 @@ services:
|
||||||
accessModes:
|
accessModes:
|
||||||
- ReadWriteOnce
|
- ReadWriteOnce
|
||||||
|
|
||||||
|
proxy:
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 96Mi
|
||||||
|
cpu: 10m
|
||||||
thumbnails:
|
thumbnails:
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 96Mi
|
||||||
|
cpu: 10m
|
||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
storageClassName: local-path
|
storageClassName: local-path
|
||||||
|
|
|
||||||
|
|
@ -8,6 +8,9 @@ kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
namespace: #@ ns
|
namespace: #@ ns
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/hook: PreSync
|
||||||
|
argocd.argoproj.io/sync-wave: "-2"
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
|
@ -15,6 +18,9 @@ kind: Role
|
||||||
metadata:
|
metadata:
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
namespace: #@ ns
|
namespace: #@ ns
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/hook: PreSync
|
||||||
|
argocd.argoproj.io/sync-wave: "-2"
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["secrets"]
|
resources: ["secrets"]
|
||||||
|
|
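Review bot: the `verbs` for the `secrets` rule are outside this hunk's context, so check they are limited to `get` and `create`; that is all the init script needs (`kubectl get secret` for the existence check, `kubectl create secret` for generation), and a Role that also allows `list`, `update` or `delete` on secrets in the namespace would hand the PreSync Job more than its job requires. The `PreSync`/`sync-wave: "-2"` annotations on the Role and RoleBinding correctly place the RBAC ahead of the Job at wave `-1`.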
@ -26,6 +32,9 @@ kind: RoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
namespace: #@ ns
|
namespace: #@ ns
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/hook: PreSync
|
||||||
|
argocd.argoproj.io/sync-wave: "-2"
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
|
|
@ -42,6 +51,8 @@ metadata:
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
namespace: #@ ns
|
namespace: #@ ns
|
||||||
annotations:
|
annotations:
|
||||||
|
argocd.argoproj.io/hook: PreSync
|
||||||
|
argocd.argoproj.io/sync-wave: "-1"
|
||||||
argocd.argoproj.io/sync-options: Replace=true
|
argocd.argoproj.io/sync-options: Replace=true
|
||||||
spec:
|
spec:
|
||||||
ttlSecondsAfterFinished: 300
|
ttlSecondsAfterFinished: 300
|
||||||
|
|
@ -58,18 +69,107 @@ spec:
|
||||||
- |
|
- |
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
SECRET_NAME="ocis-s3-credentials"
|
apk add --no-cache openssl >/dev/null 2>&1
|
||||||
|
|
||||||
if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then
|
gen_random() {
|
||||||
echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}."
|
head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
|
||||||
echo "Please create it manually with keys 'accessKey' and 'secretKey':"
|
}
|
||||||
echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
|
|
||||||
echo " --from-literal=accessKey=<your-access-key> \\"
|
gen_uuid() {
|
||||||
echo " --from-literal=secretKey=<your-secret-key>"
|
cat /proc/sys/kernel/random/uuid
|
||||||
exit 1
|
}
|
||||||
else
|
|
||||||
echo "Secret ${SECRET_NAME} exists, OK"
|
create_secret_if_missing() {
|
||||||
|
local name="$1"
|
||||||
|
shift
|
||||||
|
if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||||
|
echo "Secret $name already exists, skipping"
|
||||||
|
return
|
||||||
fi
|
fi
|
||||||
|
kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
|
||||||
|
echo "Created secret $name"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Validate external secrets exist
|
||||||
|
if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||||
|
echo "ERROR: External secret ocis-s3-credentials must be created manually"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Admin user
|
||||||
|
create_secret_if_missing ocis-admin-user \
|
||||||
|
--from-literal=password="$(gen_random 32)" \
|
||||||
|
--from-literal=user-id="$(gen_uuid)"
|
||||||
|
|
||||||
|
# JWT secret
|
||||||
|
create_secret_if_missing ocis-jwt-secret \
|
||||||
|
--from-literal=jwt-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Machine auth API key
|
||||||
|
create_secret_if_missing ocis-machine-auth-api-key \
|
||||||
|
--from-literal=machine-auth-api-key="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Storage system JWT secret
|
||||||
|
create_secret_if_missing ocis-storage-system-jwt-secret \
|
||||||
|
--from-literal=storage-system-jwt-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Storage system secret
|
||||||
|
create_secret_if_missing ocis-storage-system \
|
||||||
|
--from-literal=api-key="$(gen_random 32)" \
|
||||||
|
--from-literal=user-id="$(gen_uuid)"
|
||||||
|
|
||||||
|
# Transfer secret
|
||||||
|
create_secret_if_missing ocis-transfer-secret \
|
||||||
|
--from-literal=transfer-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Thumbnails transfer secret
|
||||||
|
create_secret_if_missing ocis-thumbnails-transfer-secret \
|
||||||
|
--from-literal=thumbnails-transfer-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Service account secret
|
||||||
|
create_secret_if_missing ocis-service-account-secret \
|
||||||
|
--from-literal=service-account-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Collaboration WOPI secret
|
||||||
|
create_secret_if_missing ocis-collaboration-wopi-secret \
|
||||||
|
--from-literal=wopi-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# LDAP bind secrets (three passwords for different bind users)
|
||||||
|
create_secret_if_missing ocis-ldap-bind-secrets \
|
||||||
|
--from-literal=reva-ldap-bind-password="$(gen_random 32)" \
|
||||||
|
--from-literal=idp-ldap-bind-password="$(gen_random 32)" \
|
||||||
|
--from-literal=graph-ldap-bind-password="$(gen_random 32)"
|
||||||
|
|
||||||
|
# IDP secret (encryption key + RSA private key)
|
||||||
|
create_secret_if_missing ocis-idp-secrets \
|
||||||
|
--from-literal=encryption.key="$(gen_random 32)" \
|
||||||
|
--from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
|
||||||
|
|
||||||
|
# LDAP CA cert + key (self-signed)
|
||||||
|
if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||||
|
openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
|
||||||
|
-days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
|
||||||
|
kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
|
||||||
|
--from-file=ldap-ca.crt=/tmp/ldap-ca.crt
|
||||||
|
echo "Created secret ocis-ldap-ca"
|
||||||
|
|
||||||
|
# LDAP server cert signed by the CA
|
||||||
|
printf "subjectAltName=DNS:idm" > /tmp/ldap-ext.cnf
|
||||||
|
openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
|
||||||
|
-nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
|
||||||
|
openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
|
||||||
|
-CAcreateserial -out /tmp/ldap.crt -days 3650 \
|
||||||
|
-extfile /tmp/ldap-ext.cnf 2>/dev/null
|
||||||
|
kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
|
||||||
|
--from-file=ldap.crt=/tmp/ldap.crt \
|
||||||
|
--from-file=ldap.key=/tmp/ldap.key
|
||||||
|
echo "Created secret ocis-ldap-cert"
|
||||||
|
rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl /tmp/ldap-ext.cnf
|
||||||
|
else
|
||||||
|
echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "All secrets initialized successfully"
|
||||||
env:
|
env:
|
||||||
- name: NAMESPACE
|
- name: NAMESPACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
|
|
||||||
|
|
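Review bot: the LDAP block is not safe against a partial run: the guard checks only `ocis-ldap-ca`, and `set -e` will abort the script if anything between `kubectl create secret generic ocis-ldap-ca` and `kubectl create secret generic ocis-ldap-cert` fails; on the next sync the CA exists, the `else` branch skips the certs, and because `/tmp/ldap-ca.key` was never stored, `ocis-ldap-cert` can never be produced without deleting the CA secret by hand. Create `ocis-ldap-cert` before `ocis-ldap-ca`, or make the guard `if ! kubectl get secret ocis-ldap-ca ... || ! kubectl get secret ocis-ldap-cert ...`, or keep the CA key in the secret so a rerun can re-sign. Two smaller points: the new error path for the missing `ocis-s3-credentials` secret dropped the key names the old script printed (`accessKey`, `secretKey`), which is exactly what an operator needs at that moment, so keep them in the message; and `--from-literal=private-key.pem="$(openssl genrsa 4096 ...)"` passes the RSA key on the kubectl command line, where it is briefly readable via the process table inside the container, whereas `--from-file` from a temporary file (as already done for the LDAP material) avoids that. `apk add --no-cache openssl` at sync time also makes the PreSync hook depend on network access to the package mirror; baking openssl into the image removes that failure mode.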
@ -1,6 +1,6 @@
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
data:
|
data:
|
||||||
service-account-id: 46ec47ba-00e9-4114-950c-5743e5be4cee
|
service-account-id: 3ccdd552-d559-41f5-865c-2eb088c633e7
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
data:
|
data:
|
||||||
application-id: 1160b6ab-f9d7-464e-96a3-f2a3568ce67f
|
application-id: c0c2b8df-3962-4255-bf1b-f0c8f49bbe59
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
data:
|
data:
|
||||||
storage-uuid: e77de552-42dc-4d0d-ab83-2fdd35294451
|
storage-uuid: 2948ada8-ec5b-44d5-b91f-b5f7c96d23c3
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
|
|
|
||||||
|
|
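Review bot: `storage-uuid` is rotated to a new value here (the two sibling ConfigMaps rotate `service-account-id` and `application-id` the same way). If this key is what the storage-users pods consume as `STORAGE_USERS_MOUNT_ID`, changing it on a cluster that already holds data makes existing spaces unreachable under the new mount id, so this is only safe on a fresh install; state that in the commit message or keep the previous value if the cluster is not being rebuilt from scratch.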
@ -70,12 +70,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: OCIS_TRANSFER_SECRET
|
- name: OCIS_TRANSFER_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: transfer-secret
|
key: transfer-secret
|
||||||
name: transfer-secret
|
name: ocis-transfer-secret
|
||||||
- name: STORAGE_USERS_MOUNT_ID
|
- name: STORAGE_USERS_MOUNT_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
|
|
@ -90,7 +90,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
name: storage-users-clean-expired-uploads
|
name: storage-users-clean-expired-uploads
|
||||||
|
|
|
||||||
|
|
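Review bot: `image: owncloud/ocis:7.1.4` with `imagePullPolicy: IfNotPresent` pins a mutable tag only, and the same line appears in every service hunk below. A tag can be re-pushed, and `IfNotPresent` means different nodes may keep different images under the same tag, so the CronJobs and Deployments can silently diverge. Pin by digest (`owncloud/ocis:7.1.4@sha256:<digest placeholder>`) in the values layer so one commit maps to exactly one image across all of these manifests.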
@ -51,12 +51,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: OCIS_TRANSFER_SECRET
|
- name: OCIS_TRANSFER_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: transfer-secret
|
key: transfer-secret
|
||||||
name: transfer-secret
|
name: ocis-transfer-secret
|
||||||
- name: STORAGE_USERS_MOUNT_ID
|
- name: STORAGE_USERS_MOUNT_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
|
|
@ -71,7 +71,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
name: storage-users-purge-expired-trash-bin-items
|
name: storage-users-purge-expired-trash-bin-items
|
||||||
|
|
|
||||||
|
|
@ -53,12 +53,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: OCIS_TRANSFER_SECRET
|
- name: OCIS_TRANSFER_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: transfer-secret
|
key: transfer-secret
|
||||||
name: transfer-secret
|
name: ocis-transfer-secret
|
||||||
- name: STORAGE_USERS_MOUNT_ID
|
- name: STORAGE_USERS_MOUNT_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
|
|
@ -73,7 +73,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
name: storage-users-restart-postprocessing
|
name: storage-users-restart-postprocessing
|
||||||
|
|
|
||||||
|
|
@ -79,12 +79,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
- name: ACTIVITYLOG_JWT_SECRET
|
- name: ACTIVITYLOG_JWT_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -101,7 +101,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9197
|
- containerPort: 9197
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
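Review bot: `resources.requests` gains `cpu: 10m` and `memory: 64Mi` with no `limits` block, and the identical values are applied to every service in the later hunks (only nats and proxy differ, at 96Mi). Requests reserve scheduler capacity but do not cap the container, so the stated goal of preventing node overcommit only holds while each pod stays near its request; a single service under load can still exhaust the node and get the others evicted. Add at least `limits.memory` per service, and derive the request numbers from observed usage (`kubectl top pod -n <namespace>`) rather than one flat value, since search (bleve index), proxy and storage-users will not have the same footprint as activitylog.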
@ -68,7 +68,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -85,7 +85,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9243
|
- containerPort: 9243
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -70,7 +70,10 @@ spec:
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 9229
|
- containerPort: 9229
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -66,12 +66,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: AUTH_MACHINE_API_KEY
|
- name: AUTH_MACHINE_API_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: machine-auth-api-key
|
key: machine-auth-api-key
|
||||||
name: machine-auth-api-key
|
name: ocis-machine-auth-api-key
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -88,7 +88,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9167
|
- containerPort: 9167
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -66,7 +66,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: AUTH_SERVICE_SERVICE_ACCOUNT_ID
|
- name: AUTH_SERVICE_SERVICE_ACCOUNT_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
|
|
@ -76,7 +76,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -93,7 +93,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9617
|
- containerPort: 9617
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -71,12 +71,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
- name: CLIENTLOG_JWT_SECRET
|
- name: CLIENTLOG_JWT_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -91,7 +91,10 @@ spec:
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 9260
|
- containerPort: 9260
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -76,7 +76,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9270
|
- containerPort: 9270
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -76,7 +76,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: FRONTEND_APP_HANDLER_INSECURE
|
- name: FRONTEND_APP_HANDLER_INSECURE
|
||||||
value: "false"
|
value: "false"
|
||||||
- name: FRONTEND_ARCHIVER_INSECURE
|
- name: FRONTEND_ARCHIVER_INSECURE
|
||||||
|
|
@ -103,7 +103,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: machine-auth-api-key
|
key: machine-auth-api-key
|
||||||
name: machine-auth-api-key
|
name: ocis-machine-auth-api-key
|
||||||
- name: FRONTEND_SERVICE_ACCOUNT_ID
|
- name: FRONTEND_SERVICE_ACCOUNT_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
|
|
@ -113,12 +113,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
- name: OCIS_TRANSFER_SECRET
|
- name: OCIS_TRANSFER_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: transfer-secret
|
key: transfer-secret
|
||||||
name: transfer-secret
|
name: ocis-transfer-secret
|
||||||
- name: FRONTEND_AUTO_ACCEPT_SHARES
|
- name: FRONTEND_AUTO_ACCEPT_SHARES
|
||||||
value: "true"
|
value: "true"
|
||||||
- name: FRONTEND_MAX_CONCURRENCY
|
- name: FRONTEND_MAX_CONCURRENCY
|
||||||
|
|
@ -153,7 +153,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9141
|
- containerPort: 9141
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -79,12 +79,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: OCIS_TRANSFER_SECRET
|
- name: OCIS_TRANSFER_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: transfer-secret
|
key: transfer-secret
|
||||||
name: transfer-secret
|
name: ocis-transfer-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -101,7 +101,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9143
|
- containerPort: 9143
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: graph-ldap-bind-password
|
key: graph-ldap-bind-password
|
||||||
name: ldap-bind-secrets
|
name: ocis-ldap-bind-secrets
|
||||||
- name: OCIS_SHOW_USER_EMAIL_IN_RESULTS
|
- name: OCIS_SHOW_USER_EMAIL_IN_RESULTS
|
||||||
value: "false"
|
value: "false"
|
||||||
- name: GRAPH_APPLICATION_ID
|
- name: GRAPH_APPLICATION_ID
|
||||||
|
|
@ -96,7 +96,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: OCIS_DEFAULT_LANGUAGE
|
- name: OCIS_DEFAULT_LANGUAGE
|
||||||
value: en
|
value: en
|
||||||
- name: GRAPH_SERVICE_ACCOUNT_ID
|
- name: GRAPH_SERVICE_ACCOUNT_ID
|
||||||
|
|
@ -108,7 +108,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
- name: OCIS_ENABLE_OCM
|
- name: OCIS_ENABLE_OCM
|
||||||
value: "false"
|
value: "false"
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
|
|
@ -127,7 +127,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9124
|
- containerPort: 9124
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
@ -149,4 +152,4 @@ spec:
|
||||||
name: messaging-system-ca
|
name: messaging-system-ca
|
||||||
- name: ldap-ca
|
- name: ldap-ca
|
||||||
secret:
|
secret:
|
||||||
secretName: ldap-ca
|
secretName: ocis-ldap-ca
|
||||||
|
|
|
||||||
|
|
@ -70,14 +70,14 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: reva-ldap-bind-password
|
key: reva-ldap-bind-password
|
||||||
name: ldap-bind-secrets
|
name: ocis-ldap-bind-secrets
|
||||||
- name: GROUPS_IDP_URL
|
- name: GROUPS_IDP_URL
|
||||||
value: https://drive.tr1ceracop.de
|
value: https://drive.tr1ceracop.de
|
||||||
- name: GROUPS_JWT_SECRET
|
- name: GROUPS_JWT_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -94,7 +94,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9161
|
- containerPort: 9161
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
@ -115,4 +118,4 @@ spec:
|
||||||
name: tmp-volume
|
name: tmp-volume
|
||||||
- name: ldap-ca
|
- name: ldap-ca
|
||||||
secret:
|
secret:
|
||||||
secretName: ldap-ca
|
secretName: ocis-ldap-ca
|
||||||
|
|
|
||||||
|
|
@ -67,27 +67,27 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: password
|
key: password
|
||||||
name: admin-user
|
name: ocis-admin-user
|
||||||
- name: IDM_ADMIN_USER_ID
|
- name: IDM_ADMIN_USER_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: user-id
|
key: user-id
|
||||||
name: admin-user
|
name: ocis-admin-user
|
||||||
- name: IDM_SVC_PASSWORD
|
- name: IDM_SVC_PASSWORD
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: graph-ldap-bind-password
|
key: graph-ldap-bind-password
|
||||||
name: ldap-bind-secrets
|
name: ocis-ldap-bind-secrets
|
||||||
- name: IDM_REVASVC_PASSWORD
|
- name: IDM_REVASVC_PASSWORD
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: reva-ldap-bind-password
|
key: reva-ldap-bind-password
|
||||||
name: ldap-bind-secrets
|
name: ocis-ldap-bind-secrets
|
||||||
- name: IDM_IDPSVC_PASSWORD
|
- name: IDM_IDPSVC_PASSWORD
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: idp-ldap-bind-password
|
key: idp-ldap-bind-password
|
||||||
name: ldap-bind-secrets
|
name: ocis-ldap-bind-secrets
|
||||||
- name: IDM_LDAPS_CERT
|
- name: IDM_LDAPS_CERT
|
||||||
value: /etc/ocis/ldap-cert/ldap.crt
|
value: /etc/ocis/ldap-cert/ldap.crt
|
||||||
- name: IDM_LDAPS_KEY
|
- name: IDM_LDAPS_KEY
|
||||||
|
|
@ -108,7 +108,10 @@ spec:
|
||||||
name: ldaps
|
name: ldaps
|
||||||
- containerPort: 9239
|
- containerPort: 9239
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
@ -128,7 +131,10 @@ spec:
|
||||||
image: busybox:stable
|
image: busybox:stable
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
name: init-dir
|
name: init-dir
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
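Review bot: `image: busybox:stable` on the `init-dir` init container is a floating tag that moves with upstream releases, so this init container is the one piece of the idm pod that is not reproducibly pinned while the main container is at least fixed to `7.1.4`. Pin a specific busybox tag (or a digest) in the same place the oCIS image is set.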
@ -144,7 +150,7 @@ spec:
|
||||||
volumes:
|
volumes:
|
||||||
- name: ldap-cert
|
- name: ldap-cert
|
||||||
secret:
|
secret:
|
||||||
secretName: ldap-cert
|
secretName: ocis-ldap-cert
|
||||||
- name: idm-data
|
- name: idm-data
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: idm-data
|
claimName: idm-data
|
||||||
|
|
|
||||||
|
|
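Review bot: `secretName: ocis-ldap-cert` backs the `ldap-cert` volume that `IDM_LDAPS_CERT=/etc/ocis/ldap-cert/ldap.crt` (and the `IDM_LDAPS_KEY` entry cut off above) reference, and since the init script stores both `ldap.crt` and `ldap.key` in that one secret, idm must remain its only consumer; the graph, groups and idp hunks correctly mount only `ocis-ldap-ca`. Keep that split, and consider `defaultMode: 0400` on this secret volume so the LDAPS private key is not readable by every uid in the container (secret volumes default to 0644 and the container runs as `runAsGroup: 1000`).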
@ -70,7 +70,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: idp-ldap-bind-password
|
key: idp-ldap-bind-password
|
||||||
name: ldap-bind-secrets
|
name: ocis-ldap-bind-secrets
|
||||||
- name: IDP_SIGNING_PRIVATE_KEY_FILES
|
- name: IDP_SIGNING_PRIVATE_KEY_FILES
|
||||||
value: /etc/ocis/idp/private-key.pem
|
value: /etc/ocis/idp/private-key.pem
|
||||||
- name: IDP_ENCRYPTION_SECRET_FILE
|
- name: IDP_ENCRYPTION_SECRET_FILE
|
||||||
|
|
@ -91,7 +91,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9134
|
- containerPort: 9134
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
@ -115,7 +118,7 @@ spec:
|
||||||
name: ocis-data-tmp
|
name: ocis-data-tmp
|
||||||
- name: ldap-ca
|
- name: ldap-ca
|
||||||
secret:
|
secret:
|
||||||
secretName: ldap-ca
|
secretName: ocis-ldap-ca
|
||||||
- name: idp-secrets
|
- name: idp-secrets
|
||||||
secret:
|
secret:
|
||||||
secretName: idp-secrets
|
secretName: ocis-idp-secrets
|
||||||
|
|
|
||||||
|
|
@ -65,7 +65,10 @@ spec:
|
||||||
name: nats
|
name: nats
|
||||||
- containerPort: 9234
|
- containerPort: 9234
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 96Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -74,12 +74,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: OCDAV_MACHINE_AUTH_API_KEY
|
- name: OCDAV_MACHINE_AUTH_API_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: machine-auth-api-key
|
key: machine-auth-api-key
|
||||||
name: machine-auth-api-key
|
name: ocis-machine-auth-api-key
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -96,7 +96,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9163
|
- containerPort: 9163
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -76,7 +76,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -93,7 +93,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9114
|
- containerPort: 9114
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -74,7 +74,10 @@ spec:
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 9255
|
- containerPort: 9255
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -82,12 +82,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: PROXY_MACHINE_AUTH_API_KEY
|
- name: PROXY_MACHINE_AUTH_API_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: machine-auth-api-key
|
key: machine-auth-api-key
|
||||||
name: machine-auth-api-key
|
name: ocis-machine-auth-api-key
|
||||||
- name: PROXY_SERVICE_ACCOUNT_ID
|
- name: PROXY_SERVICE_ACCOUNT_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
|
|
@ -97,7 +97,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
- name: PROXY_CSP_CONFIG_FILE_LOCATION
|
- name: PROXY_CSP_CONFIG_FILE_LOCATION
|
||||||
value: /etc/ocis/csp.yaml
|
value: /etc/ocis/csp.yaml
|
||||||
- name: PROXY_AUTOPROVISION_ACCOUNTS
|
- name: PROXY_AUTOPROVISION_ACCOUNTS
|
||||||
|
|
@ -118,7 +118,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9205
|
- containerPort: 9205
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 96Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -69,7 +69,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: SEARCH_SERVICE_ACCOUNT_ID
|
- name: SEARCH_SERVICE_ACCOUNT_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
|
|
@ -79,7 +79,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
- name: OCIS_ASYNC_UPLOADS
|
- name: OCIS_ASYNC_UPLOADS
|
||||||
value: "true"
|
value: "true"
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
|
|
@ -98,7 +98,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9224
|
- containerPort: 9224
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -80,12 +80,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: user-id
|
key: user-id
|
||||||
name: admin-user
|
name: ocis-admin-user
|
||||||
- name: SETTINGS_JWT_SECRET
|
- name: SETTINGS_JWT_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: SETTINGS_SERVICE_ACCOUNT_IDS
|
- name: SETTINGS_SERVICE_ACCOUNT_IDS
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
|
|
@ -95,12 +95,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: api-key
|
key: api-key
|
||||||
name: storage-system
|
name: ocis-storage-system
|
||||||
- name: OCIS_SYSTEM_USER_ID
|
- name: OCIS_SYSTEM_USER_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: user-id
|
key: user-id
|
||||||
name: storage-system
|
name: ocis-storage-system
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -119,7 +119,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9194
|
- containerPort: 9194
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -68,7 +68,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
|
- name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
|
||||||
value: "false"
|
value: "false"
|
||||||
- name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
|
- name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
|
||||||
|
|
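Review bot: the only change in this hunk is the `ocis-jwt-secret` rename, but the unchanged context exposes `SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` set to `"false"` on an instance that is now public at drive.tr1ceracop.de: anyone holding a writeable public link can upload with no password at all. Unless anonymous writeable links are a deliberate requirement, set this to `"true"` in the same values layer that sets the secret names, and confirm `SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` (cut off below) is configured consistently.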
@ -91,24 +91,24 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: api-key
|
key: api-key
|
||||||
name: storage-system
|
name: ocis-storage-system
|
||||||
- name: SHARING_USER_JSONCS3_SYSTEM_USER_ID
|
- name: SHARING_USER_JSONCS3_SYSTEM_USER_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: user-id
|
key: user-id
|
||||||
name: storage-system
|
name: ocis-storage-system
|
||||||
- name: SHARING_PUBLIC_DRIVER
|
- name: SHARING_PUBLIC_DRIVER
|
||||||
value: jsoncs3
|
value: jsoncs3
|
||||||
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY
|
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: api-key
|
key: api-key
|
||||||
name: storage-system
|
name: ocis-storage-system
|
||||||
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID
|
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: user-id
|
key: user-id
|
||||||
name: storage-system
|
name: ocis-storage-system
|
||||||
- name: SHARING_USER_JSONCS3_MAX_CONCURRENCY
|
- name: SHARING_USER_JSONCS3_MAX_CONCURRENCY
|
||||||
value: "20"
|
value: "20"
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
|
|
@ -127,7 +127,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9151
|
- containerPort: 9151
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -72,7 +72,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -89,7 +89,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9135
|
- containerPort: 9135
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -70,7 +70,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -87,7 +87,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9179
|
- containerPort: 9179
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -66,7 +66,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -83,7 +83,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9156
|
- containerPort: 9156
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -78,17 +78,17 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: storage-system-jwt-secret
|
key: storage-system-jwt-secret
|
||||||
name: storage-system-jwt-secret
|
name: ocis-storage-system-jwt-secret
|
||||||
- name: OCIS_SYSTEM_USER_API_KEY
|
- name: OCIS_SYSTEM_USER_API_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: api-key
|
key: api-key
|
||||||
name: storage-system
|
name: ocis-storage-system
|
||||||
- name: OCIS_SYSTEM_USER_ID
|
- name: OCIS_SYSTEM_USER_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: user-id
|
key: user-id
|
||||||
name: storage-system
|
name: ocis-storage-system
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -107,7 +107,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9217
|
- containerPort: 9217
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -125,7 +125,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
- name: STORAGE_USERS_STAT_CACHE_STORE
|
- name: STORAGE_USERS_STAT_CACHE_STORE
|
||||||
value: noop
|
value: noop
|
||||||
- name: STORAGE_USERS_MOUNT_ID
|
- name: STORAGE_USERS_MOUNT_ID
|
||||||
|
|
@ -137,12 +137,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: OCIS_TRANSFER_SECRET
|
- name: OCIS_TRANSFER_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: transfer-secret
|
key: transfer-secret
|
||||||
name: transfer-secret
|
name: ocis-transfer-secret
|
||||||
- name: OCIS_ASYNC_UPLOADS
|
- name: OCIS_ASYNC_UPLOADS
|
||||||
value: "true"
|
value: "true"
|
||||||
- name: STORAGE_USERS_EVENTS_NUM_CONSUMERS
|
- name: STORAGE_USERS_EVENTS_NUM_CONSUMERS
|
||||||
|
|
@ -167,7 +167,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9159
|
- containerPort: 9159
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: thumbnails-transfer-secret
|
key: thumbnails-transfer-secret
|
||||||
name: thumbnails-transfer-secret
|
name: ocis-thumbnails-transfer-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -103,7 +103,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9189
|
- containerPort: 9189
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 96Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -73,12 +73,12 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: service-account-secret
|
key: service-account-secret
|
||||||
name: service-account-secret
|
name: ocis-service-account-secret
|
||||||
- name: USERLOG_JWT_SECRET
|
- name: USERLOG_JWT_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
- name: USERLOG_MAX_CONCURRENCY
|
- name: USERLOG_MAX_CONCURRENCY
|
||||||
value: "1"
|
value: "1"
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
|
|
@ -97,7 +97,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9210
|
- containerPort: 9210
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -70,14 +70,14 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: reva-ldap-bind-password
|
key: reva-ldap-bind-password
|
||||||
name: ldap-bind-secrets
|
name: ocis-ldap-bind-secrets
|
||||||
- name: USERS_IDP_URL
|
- name: USERS_IDP_URL
|
||||||
value: https://drive.tr1ceracop.de
|
value: https://drive.tr1ceracop.de
|
||||||
- name: USERS_JWT_SECRET
|
- name: USERS_JWT_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -94,7 +94,10 @@ spec:
|
||||||
name: grpc
|
name: grpc
|
||||||
- containerPort: 9145
|
- containerPort: 9145
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
@ -115,4 +118,4 @@ spec:
|
||||||
name: tmp-volume
|
name: tmp-volume
|
||||||
- name: ldap-ca
|
- name: ldap-ca
|
||||||
secret:
|
secret:
|
||||||
secretName: ldap-ca
|
secretName: ocis-ldap-ca
|
||||||
|
|
|
||||||
|
|
@ -88,7 +88,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: jwt-secret
|
key: jwt-secret
|
||||||
name: jwt-secret
|
name: ocis-jwt-secret
|
||||||
image: owncloud/ocis:7.1.4
|
image: owncloud/ocis:7.1.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
|
@ -105,7 +105,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9104
|
- containerPort: 9104
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -82,7 +82,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 9119
|
- containerPort: 9119
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -86,7 +86,10 @@ spec:
|
||||||
name: http
|
name: http
|
||||||
- containerPort: 8081
|
- containerPort: 8081
|
||||||
name: metrics-debug
|
name: metrics-debug
|
||||||
resources: {}
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,9 @@ kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||||
|
argocd.argoproj.io/hook: PreSync
|
||||||
argocd.argoproj.io/sync-options: Replace=true
|
argocd.argoproj.io/sync-options: Replace=true
|
||||||
|
argocd.argoproj.io/sync-wave: "-1"
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
namespace: ocis
|
namespace: ocis
|
||||||
spec:
|
spec:
|
||||||
|
|
@ -16,18 +18,107 @@ spec:
|
||||||
- |
|
- |
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
SECRET_NAME="ocis-s3-credentials"
|
apk add --no-cache openssl >/dev/null 2>&1
|
||||||
|
|
||||||
if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then
|
gen_random() {
|
||||||
echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}."
|
head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c "$1"
|
||||||
echo "Please create it manually with keys 'accessKey' and 'secretKey':"
|
}
|
||||||
echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
|
|
||||||
echo " --from-literal=accessKey=<your-access-key> \\"
|
gen_uuid() {
|
||||||
echo " --from-literal=secretKey=<your-secret-key>"
|
cat /proc/sys/kernel/random/uuid
|
||||||
exit 1
|
}
|
||||||
else
|
|
||||||
echo "Secret ${SECRET_NAME} exists, OK"
|
create_secret_if_missing() {
|
||||||
|
local name="$1"
|
||||||
|
shift
|
||||||
|
if kubectl get secret "$name" -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||||
|
echo "Secret $name already exists, skipping"
|
||||||
|
return
|
||||||
fi
|
fi
|
||||||
|
kubectl create secret generic "$name" -n "${NAMESPACE}" "$@"
|
||||||
|
echo "Created secret $name"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Validate external secrets exist
|
||||||
|
if ! kubectl get secret ocis-s3-credentials -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||||
|
echo "ERROR: External secret ocis-s3-credentials must be created manually"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Admin user
|
||||||
|
create_secret_if_missing ocis-admin-user \
|
||||||
|
--from-literal=password="$(gen_random 32)" \
|
||||||
|
--from-literal=user-id="$(gen_uuid)"
|
||||||
|
|
||||||
|
# JWT secret
|
||||||
|
create_secret_if_missing ocis-jwt-secret \
|
||||||
|
--from-literal=jwt-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Machine auth API key
|
||||||
|
create_secret_if_missing ocis-machine-auth-api-key \
|
||||||
|
--from-literal=machine-auth-api-key="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Storage system JWT secret
|
||||||
|
create_secret_if_missing ocis-storage-system-jwt-secret \
|
||||||
|
--from-literal=storage-system-jwt-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Storage system secret
|
||||||
|
create_secret_if_missing ocis-storage-system \
|
||||||
|
--from-literal=api-key="$(gen_random 32)" \
|
||||||
|
--from-literal=user-id="$(gen_uuid)"
|
||||||
|
|
||||||
|
# Transfer secret
|
||||||
|
create_secret_if_missing ocis-transfer-secret \
|
||||||
|
--from-literal=transfer-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Thumbnails transfer secret
|
||||||
|
create_secret_if_missing ocis-thumbnails-transfer-secret \
|
||||||
|
--from-literal=thumbnails-transfer-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Service account secret
|
||||||
|
create_secret_if_missing ocis-service-account-secret \
|
||||||
|
--from-literal=service-account-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# Collaboration WOPI secret
|
||||||
|
create_secret_if_missing ocis-collaboration-wopi-secret \
|
||||||
|
--from-literal=wopi-secret="$(gen_random 32)"
|
||||||
|
|
||||||
|
# LDAP bind secrets (three passwords for different bind users)
|
||||||
|
create_secret_if_missing ocis-ldap-bind-secrets \
|
||||||
|
--from-literal=reva-ldap-bind-password="$(gen_random 32)" \
|
||||||
|
--from-literal=idp-ldap-bind-password="$(gen_random 32)" \
|
||||||
|
--from-literal=graph-ldap-bind-password="$(gen_random 32)"
|
||||||
|
|
||||||
|
# IDP secret (encryption key + RSA private key)
|
||||||
|
create_secret_if_missing ocis-idp-secrets \
|
||||||
|
--from-literal=encryption.key="$(gen_random 32)" \
|
||||||
|
--from-literal=private-key.pem="$(openssl genrsa 4096 2>/dev/null)"
|
||||||
|
|
||||||
|
# LDAP CA cert + key (self-signed)
|
||||||
|
if ! kubectl get secret ocis-ldap-ca -n "${NAMESPACE}" >/dev/null 2>&1; then
|
||||||
|
openssl req -x509 -newkey rsa:2048 -keyout /tmp/ldap-ca.key -out /tmp/ldap-ca.crt \
|
||||||
|
-days 3650 -nodes -subj "/CN=ldap-ca" 2>/dev/null
|
||||||
|
kubectl create secret generic ocis-ldap-ca -n "${NAMESPACE}" \
|
||||||
|
--from-file=ldap-ca.crt=/tmp/ldap-ca.crt
|
||||||
|
echo "Created secret ocis-ldap-ca"
|
||||||
|
|
||||||
|
# LDAP server cert signed by the CA
|
||||||
|
printf "subjectAltName=DNS:idm" > /tmp/ldap-ext.cnf
|
||||||
|
openssl req -newkey rsa:2048 -keyout /tmp/ldap.key -out /tmp/ldap.csr \
|
||||||
|
-nodes -subj "/CN=idm" -addext "subjectAltName=DNS:idm" 2>/dev/null
|
||||||
|
openssl x509 -req -in /tmp/ldap.csr -CA /tmp/ldap-ca.crt -CAkey /tmp/ldap-ca.key \
|
||||||
|
-CAcreateserial -out /tmp/ldap.crt -days 3650 \
|
||||||
|
-extfile /tmp/ldap-ext.cnf 2>/dev/null
|
||||||
|
kubectl create secret generic ocis-ldap-cert -n "${NAMESPACE}" \
|
||||||
|
--from-file=ldap.crt=/tmp/ldap.crt \
|
||||||
|
--from-file=ldap.key=/tmp/ldap.key
|
||||||
|
echo "Created secret ocis-ldap-cert"
|
||||||
|
rm -f /tmp/ldap-ca.key /tmp/ldap-ca.crt /tmp/ldap.key /tmp/ldap.crt /tmp/ldap.csr /tmp/ldap-ca.srl /tmp/ldap-ext.cnf
|
||||||
|
else
|
||||||
|
echo "Secret ocis-ldap-ca already exists, skipping LDAP certs"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "All secrets initialized successfully"
|
||||||
env:
|
env:
|
||||||
- name: NAMESPACE
|
- name: NAMESPACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
|
|
||||||
|
|
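Review bot: in the LDAP cert block the guard checks only `ocis-ldap-ca`, but the block creates two secrets (`ocis-ldap-ca` and then `ocis-ldap-cert`); if the second `kubectl create secret` fails after the first succeeded, every later run takes the `else` branch, `ocis-ldap-cert` is never created, and the CA key has already been `rm -f`'d, so the only recovery is to delete `ocis-ldap-ca` by hand. Guard on both secrets, or create `ocis-ldap-cert` first and the CA secret last. Two smaller points: `set -e` does not catch a failing command substitution used as an argument, so if `openssl genrsa 4096 2>/dev/null` fails, `ocis-idp-secrets` is still created with an empty `private-key.pem`; capture it first (`key=$(openssl genrsa 4096)`, which does trip `set -e`) and let stderr through so the failure shows in the Job log. And `apk add --no-cache openssl >/dev/null 2>&1` fetches a package from the network on every sync with its output hidden; bake openssl into the image, or at least keep the output so a failed install is diagnosable.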
@ -3,6 +3,8 @@ kind: Role
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||||
|
argocd.argoproj.io/hook: PreSync
|
||||||
|
argocd.argoproj.io/sync-wave: "-2"
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
namespace: ocis
|
namespace: ocis
|
||||||
rules:
|
rules:
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,8 @@ kind: RoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||||
|
argocd.argoproj.io/hook: PreSync
|
||||||
|
argocd.argoproj.io/sync-wave: "-2"
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
namespace: ocis
|
namespace: ocis
|
||||||
roleRef:
|
roleRef:
|
||||||
|
|
|
||||||
|
|
@ -1,11 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
password: YlpRdWlYYVdXZXhJRzI3cE5BMzR6RWVMajFLVzBr
|
|
||||||
user-id: NzE4ZTlmOTEtNmU3ZS00ZDMwLWE0MjktODcxMmQ4NDU1ODZl
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: admin-user
|
|
||||||
namespace: ocis
|
|
||||||
|
|
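Review bot: deleting these Secret manifests removes them from the tree, not from git history; the base64 values here and in the other deleted Secret files below (`idp-secrets` with its private key, `ldap-cert`, `ldap-bind-secrets`, `jwt-secret`, ...) were committed to a public repository and should be treated as disclosed. The rename to `ocis-*` names means the init Job generates fresh values instead of reusing these, which rotates them, but the change should also confirm that the old Secret objects (`admin-user`, `jwt-secret`, ...) are pruned from the cluster and that the previously published admin password no longer works anywhere.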
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
wopi-secret: T1FDSW0wNmZ3bWJldFpta0JwU29td2FRU3lkMk4x
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: collaboration-wopi-secret
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,11 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
encryption.key: LktHOEQ0U1JpTmEofERhYi9EMjBKbWEzYDRmJkVaJlg=
|
|
||||||
private-key.pem: 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
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: idp-secrets
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
jwt-secret: eWU2dHdSTjlYM3R0SkZhT0lFdnFpWHJzclRaMDND
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: jwt-secret
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
graph-ldap-bind-password: b09yM2dZZDE0VFlEUWlBOEJZWDlGY2FlZFBXUWhG
|
|
||||||
idp-ldap-bind-password: a3lYWWtER3FlSlhLcXpQb25uYTRySDU3SGh0WHFO
|
|
||||||
reva-ldap-bind-password: SGoybVlLSFZVaDRKZkhxMkxlcmJJam9pOWVUT0p4
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: ldap-bind-secrets
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
ldap-ca.crt: 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
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: ldap-ca
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,11 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
ldap.crt: 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
|
|
||||||
ldap.key: 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
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: ldap-cert
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
machine-auth-api-key: aEZZMkdWcVVBWWhjejNFRjRQRUNRVXZLbHpzUUpL
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: machine-auth-api-key
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
service-account-secret: NThMNVYzMnBsUUJ5UlBsZE10aDZuUEJOZnRNTU1W
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: service-account-secret
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
storage-system-jwt-secret: TWRKWW0zUFRFS2NwSDI1UFFXN3ZkZGdCdURIUnN6
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: storage-system-jwt-secret
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,11 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
api-key: RDhWVTFYblF6cjZHeGF6OHpPZnhHNEYxTHhHQ0ZI
|
|
||||||
user-id: MDQ1NzJjMGUtZGUxZi00ODZiLWE4YTEtMmYxZjI1NmM1Nzc1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: storage-system
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
thumbnails-transfer-secret: NGtlWEw4c3BJcm9sZzBiRFpBdWlhbExrMnJKM2N5
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: thumbnails-transfer-secret
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
transfer-secret: aU0wdXNRM2RIRXNTQXdzeHgxTXNkTnlqamQwV0p3
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
||||||
labels: null
|
|
||||||
name: transfer-secret
|
|
||||||
namespace: ocis
|
|
||||||
|
|
@ -3,5 +3,7 @@ kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||||
|
argocd.argoproj.io/hook: PreSync
|
||||||
|
argocd.argoproj.io/sync-wave: "-2"
|
||||||
name: ocis-secret-init
|
name: ocis-secret-init
|
||||||
namespace: ocis
|
namespace: ocis
|
||||||
|
|
|
||||||